```rust
pub trait TransportOwnershipProof: Send + Sync {
    // Required methods
    fn make_ownership_proof_payload(&self) -> Option<Bytes>;
    fn prove(&self, peer: &Peer, proof_payload: &[u8], now: TimeMillis) -> bool;
}
```
A per-transport rule for producing our own proof bytes (announce-out) and verifying
other peers’ proof bytes (announce-in). A single Arc<dyn TransportOwnershipProof>
lives on a TransportServer and is used for both directions.
Required Methods

```rust
fn make_ownership_proof_payload(&self) -> Option<Bytes>
```
Announce-out: produce the proof bytes for our own announce. Returns None if we
can’t currently prove ownership — e.g. an HTTPS server that hasn’t completed its
first ACME issuance yet. Callers (maintain_kademlia) treat None as “skip this
announce tick, try again next interval”.
Returns Bytes rather than Vec<u8> so the produced payload fits cleanly into
the project’s BytesGatherer-based wire aggregation without an extra copy.
```rust
fn prove(&self, peer: &Peer, proof_payload: &[u8], now: TimeMillis) -> bool
```
Announce-in: validate proof_payload (bytes pulled out of an inbound AnnounceV2)
against peer. Returns false if the bytes can’t be deserialised by this impl
(wrong transport / corrupt blob) or if the proof fails verification (expired cert,
wrong-IP SAN, …).
V2 only guarantees “someone managed to issue a public-CA cert for peer.address”.
A peer that borrows a stranger’s chain (the chain is public — every TLS
handshake leaks it) passes this gate, but any RPC the receiver then sends to
peer.address reaches the real server with the real identity at that IP, and the
response-side identity mismatch trips the existing prune path. V2 specifically
blocks the original dodgy-peer case (peer has no valid cert at all).
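A minimal implementation of the trait, added here as an illustration and not part of the project, that exercises both directions of the contract described above: None from make_ownership_proof_payload before anything has been issued, and false from prove on a corrupt blob, a proof naming another address, or an expired proof. Bytes, TimeMillis, Peer, ToyCert and ToyProof are local stand-ins (assumptions); the payload format is a toy "<ip>|<expiry>" encoding, not a public-CA chain.

```rust
use std::convert::TryInto;
use std::net::IpAddr;

// Stand-ins for the project's types (assumptions, not the real definitions).
pub type Bytes = Vec<u8>;
pub type TimeMillis = u64;
pub struct Peer { pub address: IpAddr }

pub trait TransportOwnershipProof: Send + Sync {
    fn make_ownership_proof_payload(&self) -> Option<Bytes>;
    fn prove(&self, peer: &Peer, proof_payload: &[u8], now: TimeMillis) -> bool;
}

/// Toy stand-in for an issued certificate: the address it names and its expiry.
/// A real impl would carry a public-CA chain; this only exercises the contract.
pub struct ToyCert { pub address: IpAddr, pub not_after: TimeMillis }

/// Hypothetical transport whose proof bytes are "<ip>|<8-byte big-endian not_after>".
pub struct ToyProof { pub issued: Option<ToyCert> }

/// Deserialise a payload; None means "corrupt blob / wrong transport".
fn parse_payload(p: &[u8]) -> Option<(IpAddr, TimeMillis)> {
    let sep = p.iter().position(|&b| b == b'|')?; // IP text never contains '|'
    let addr: IpAddr = std::str::from_utf8(&p[..sep]).ok()?.parse().ok()?;
    let exp: [u8; 8] = p[sep + 1..].try_into().ok()?;
    Some((addr, TimeMillis::from_be_bytes(exp)))
}

impl TransportOwnershipProof for ToyProof {
    fn make_ownership_proof_payload(&self) -> Option<Bytes> {
        // Announce-out: nothing issued yet -> None, i.e. "skip this announce tick".
        let cert = self.issued.as_ref()?;
        let mut out = cert.address.to_string().into_bytes();
        out.push(b'|');
        out.extend_from_slice(&cert.not_after.to_be_bytes());
        Some(out)
    }

    fn prove(&self, peer: &Peer, proof_payload: &[u8], now: TimeMillis) -> bool {
        // Announce-in: undecodable bytes, a proof for another address (wrong-IP SAN)
        // or a proof past its expiry (expired cert) all fail the gate.
        match parse_payload(proof_payload) {
            Some((addr, not_after)) => addr == peer.address && now < not_after,
            None => false,
        }
    }
}
```

The verifying side ignores its own issuance state, as the trait intends: announce-in depends only on the inbound bytes and the peer they arrived for.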